In-depth security news and investigation

Posts Tagged: ic3

The fraudsters behind the often laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, and it calls for concerted efforts to tackle the problem from many different angles. This post examines the work of a large, private group of volunteers dedicated to doing just that.

The FBI says BEC scams netted thieves more than $12 billion between 2013 and 2018. However, BEC scams succeed thanks to help from a variety of seemingly unrelated types of online fraud — most especially dating scams. I recently interviewed Ronnie Tokazowski, a reverse engineer at New York City-based security firm Flashpoint and something of an expert on BEC fraud.

Tokazowski is an expert on the subject thanks to his founding in 2015 of the BEC Mailing List, a private discussion group comprising more than 530 experts from a cross section of security firms, Internet and email providers and law enforcement agents that is dedicated to making life more difficult for scammers who perpetrate these schemes.

Earlier this month, Tokazowski was given the JD Falk award by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) for his efforts in building and growing the BEC List (loyal readers here may recognize the M3AAWG name: KrebsOnSecurity received a different award from M3AAWG in 2014). M3AAWG presents its JD Falk Award annually to recognize “a project that helps protect the internet and embodies a spirit of volunteerism and community building.”

Here are some snippets from our conversation:

Brian Krebs (BK): You were given the award by M3AAWG in part for your role in starting the BEC mailing list, but more importantly for the list’s subsequent growth and impact on the BEC problem as a whole. Talk about why and how that got started and evolved.

Ronnie Tokazowski (RT): The why is that there’s a lot of money being lost to this type of fraud. If you just look at the financial losses across cybercrime — including ransomware, banking trojans and everything else — BEC is number one. Something like 63 percent of fraud losses reported to the FBI are related to it.

When we started the list around Christmas of 2015, it was just myself and one FBI agent. When we had our first conference in May 2016, there were about 20 people attending to try to figure out how to tackle all of the individual pieces of this type of fraud.

Fast forward to today, and the group now has about 530 people, we’ve now held three conferences, and collectively the group has directly or indirectly contributed to over 100 arrests for people involved in BEC scams.

BK: What did you discover as the group began to coalesce?

RT: As we started getting more and more people involved, we realized BEC was much broader than just phishing emails. These guys actually maintain vast networks of money mules, technical and logistical infrastructure, as well as tons of romance scam accounts that they have to maintain over time.

BK: I want to ask you more about the romance scam aspect of BEC fraud in just a moment, because that’s one of the most fascinating cogs in this enormous crime machine. But I’m curious about what short-term goals the group set in identifying the individuals behind these extremely lucrative scams?

RT: We wanted to start a collaboration group to fight BEC, and really a big part of that involved just trying to social engineer the actors and get them to click on links that we could use to find out more about them and where they’re coming from. Continue reading →

The same miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data from theNational White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

The bot that was resident for almost 3 months inside of NW3C.

Last week, KrebsOnSecurity reported that entrepreneurs behind the underground criminal identity theft service ssndob[dot]ms also were responsible for operating a small but powerful collection of hacked computers exclusively at top data brokers, including LexisNexis, Dun & Bradstreet and HireRight/Kroll. A closer analysis of the Web server used to control that collection of hacked PCs shows that the attackers also had at least one infected system for several months this summer inside of the NW3c.

Core to the NW3C’s mission is its Investigative Support division, which according to the organization’s site “provides timely, relevant and effective services to member agencies involved in the prevention, investigation and prosecution of economic and high-tech crimes. The section has no investigative authority but can provide analytical assistance and perform public database searches.”

The NW3C said its analysts are frequently called upon to assist in establishing financial transaction patterns, developing possible links between criminal targets and associated criminal activity and providing link charts, timelines and graphs for court presentations. “Information obtained through public database searches can assist investigations by locating suspects, establishing property ownership and finding hidden assets, just to name a few of the benefits,” the organization’s Web site explains.

The NW3C also works with the Federal Bureau of Investigation (FBI) to run the Internet Crime Complaint Center (IC3), which accepts online Internet crime complaints from victims of cybercrime.

Neither the NW3C nor the IC3 responded to requests for comment on this story. FBI Spokeswoman Lindsay Godwin would say only that the FBI was “looking into it,” but declined to elaborate further, citing the ongoing nature of the investigation.

THE CRIME MACHINE

A number of indicators suggest that the attackers first gained access to the NW3C’s internal network on or around May 28, 2013. According to records in the online communications panel that the miscreants used to control their network of hacked systems, the affected NW3C server was taken offline on or around Aug. 17, 2013, indicating that the organization’s networks were compromised for approximately 11 weeks this summer. It’s not clear at this point why the miscreants marked this organization’s listing with a “(hacker)” designation, as shown in the snapshot of their botnet control panel below.

The attackers appear to have compromised a public-facing server at NW3C that was designed to handle incoming virtual private network (VPN) communications. Organizations frequently set up VPNs so that their remote employees can create an encrypted communications tunnel back to an otherwise closed network, and these setups are an integral component of most modern business applications.

A page from the ColdFusion exploit server used by the attackers.

Alarmingly, the machine name of the compromised NW3C system was “data.” On May 28, 2013, the attackers uploaded a file — nbc.exe — designed to open up an encrypted tunnel of communications from the hacked VPN server to their botnet controller on the public Internet. This appears to be the same nbc.exe file that was found on the two hacked servers at LexisNexis.

Abundant evidence left behind by the attackers suggests that they broke into the NW3C using a Web-based attack tool that focuses on exploiting recently-patched weaknesses in servers powered by ColdFusion, a Web application platform owned by Adobe Systems. I managed to get hold of the multiple exploits used in the attack server, and shared them with Adobe and with Rob Brooks-Bilson, a ColdFusion expert and author of the O’Reilly books Programming ColdFusion MX and Programming ColdFusion.

Although some of the exploits were listed as “0day” in the attack tool — suggesting they were zero-day, unpatched vulnerabilities in Adobe ColdFusion — Bilson said alloftheexploits appear to attack vulnerabilities that are fixed in the most recent versions of ColdFusion. For example, three of the four exploits seems to have involved CVE-2013-0632, a vulnerability that Adobe first patched in January 2013, not long after the flaw was first spotted in actual zero-day online attacks. The remaining exploit in the attack kit targets a bug that Adobe fixed in 2010.

“The big issue with ColdFusion is that so many people install and set it up without following any of Adobe’s hardening guidelines,” Brooks-Bilson said in an email to KrebsOnSecurity. “Most of the exploits that have come out in the recent past have all worked via a similar mechanism that is easily mitigated by following Adobe’s guide. Of course, so many people disregard that advice and end up with servers that are easily compromised.”

STEALING DATA ON VICTIMS AND FELLOW CROOKS ALIKE

The ColdFusion exploit server contains plenty of records indicating that the attackers in this case plundered many of the databases that they were able to access while inside of NW3C. Part of the reason for the persistence of this evidence has to do with the way that the attackers queried local databases and offloaded stolen data. It appears that once inside the NW3C’s network, the bad guys quickly scanned all of the organization’s systems for security vulnerabilities and database servers. They also uploaded a Web-based “shell” which let them gain remote access to the hacked server via a Web browser.

The attack server and shell also let the attackers execute system commands on the compromised hosts, which appear to be Microsoft IIS servers. Their method also left a detailed (if not complete) log of many of their activities inside the network. One of the first things the attackers did upon compromising the “Data” server on the network was run a query that forced the local database to dump a copy of itself to a file — including a list of the authorized users and passwords — that the attackers could download.

A snippet of redacted complaint data stolen from IC3.

The bad guys in this case also appear to have used their access to the NW3C to steal 10 years’ worth of consumer complaint information from the Internet Crime Complaint Center (IC3), the aforementioned partnership between the NW3C and the FBI that tracks complaints about cybercrime.

Present on the attacker’s server are some 2.659 million records apparently lifted from the IC3. The records range in date from about the time of the IC3’s inception — May 8, 2000 — to Jan. 22, 2013.

It’s not clear if the stolen IC3 data set includes all of the consumer complaints ever filed, but it seems likely that the archive is lacking just the past few months of records. In a report released earlier this year, the IC3 said it was receiving about 24,000 complaints per month, and that consumers had filed 289,874 complaints last year. The IC3’s site doesn’t maintain annual complaint numbers prior to 2003, but according to the site some 2.35 million have been filed with the system since then. To put the year-over-year growth in complaints in perspective, the IC3 said it wasn’t until 2007 — nearly seven years after its birth — that the organization received its millionth complaint.

New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.

On the way home from the store last week I caught a Public Radio/Marketplace story in which the radio show interviewed a small business owner who was nudged into banking online after discovering a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.

The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace’s David Brancaccio interviewed a woman from Northern New Hampshire:

“The bank with her personal account still sends monthly statements printed on paper, through the mail, for free. Old school. But this year, one of her business accounts started charging money for paper statements.

Johnson: That’s right.

Brancaccio: How much?

Johnson: $9.99 a month.

Brancaccio: Really?

Johnson: Yes.

Brancaccio: When did you actually notice?

Johnson: My bank statement, my paper bank statement! is how I found it!

“It’s a growing trend in banking. For instance, Bank of America has something called the E-banking account where paper statements and routine visits to a human teller cost money. It’s now in more than three dozen states. B of A says techno-savvy customers seem fine with online-only in exchange for no minimum cash balances in the account.”

Johnson didn’t say which bank her commercial account was at. And for its part, BofA’s eBanking plan only applies to consumer accounts, not businesses. But if this type of trend becomes more mainstream among commercial banking customers, more and more small businesses will be pushed into banking online without knowing how to protect themselves from organized cyber thieves that have stolen at least $70 million from small to mid-sized organizations over the last few years.

Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009, according to figures released Friday by the FBI.

The figures come from complaints referred to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Last year, the IC3 received some 336,655 complaints, a 22.3 percent increase from the year prior.

Ironically, among the largest sources of complaints (16.6 percent) were e-mail scams that fraudulently used the FBI’s name to gain information from the recipient. Of the top five categories reported to law enforcement during 2009, non-delivered merchandise and/or payment fraud ranked nearly 20 percent; identity theft 14 percent; credit card and auction fraud, just over 10 percent each. The median dollar loss was $575, while the highest median losses were associated with investment fraud ($3,200), overpayment fraud ($2,500) and advanced-fee fraud ($1,500).